Ya, you have to escape all sql queries. Not being the php person around here, not sure how you do that with php.

Would that be with magic quotes?

I've read a bit about these, but I'm not exactly sure how they work.

if you just want to escape chars in a large string you can use addslashes() [php.net] and then when you output it you can use stripslashes() [php.net].

Nevermind I found the answer.

If anyone else was wondering. The quotes are escaped with the addslashes function.

well you can use the following before you execute your insert:

$escaped_query = mysql_escape_string($query)
$result = mysql_query($escaped_query)

mavherick

A quick word on Magic Quotes. Although it can be very tempting to use, they can prove to be a nightmare on portability. I highly advise against it unless you have a particular reason that they are needed. Standardization is good - magic quotes are not standard. :) Stick with add/strip slashes.

You can test to see if magic quotes are on using get_magic_quotes_runtime (0 = off, 1 = on).

addslashes() and stripslashes() are the functions to use to escape double quotes et al.

see:
www.php.net/get_magic_quotes_runtime
www.php.net/addslashes
www.php.net/stripslashes

Another thing to note is that if you are taking any user variable and running a sql query with it, you will want to run addslashes first. Even if the input is done on a drop down box w/ two choices. Inputs to a script can always be changed by a malicious user. Imagine if your yes/no input got changed to the string '";DROP *;' where the double qoutes are actually part of the string. The ; would indicate the end of 1 mySql query and the beginning of the next one. While the first one may return invalid, the next one will delete the entire database (oh fun, huh?).

Thanks for the heads up on that. I will definitely use addslashes from this point on.